Development and Features of the CAINE Open Source Forensic Platform
We decided to implement the CAINE distribution with open source software, for several reasons. The open source world holds a large share of the computer forensics software market. Although open source tools carry no commercial certification of their capabilities, the presence of a global community ensures continuous development, feedback and improvement.
This ensures that the software bundled with the distribution is always reasonably up to date. Furthermore, thanks to constant teamwork and code sharing, the most important and widely used open source forensic software guarantees transparency and repeatability of the investigation process. Because the source code is published, the computer forensics community can examine and validate the procedures used to produce digital evidence. This model keeps the error rate very low, since every bug fix is made public, and a stable code base can be developed fairly quickly.
Open Source Software (OSS) can be defined as any software distributed together with its source code, or whose source code can be obtained for no more than a reasonable reproduction cost. The definition of OSS supported by the Free Software Movement is much broader, but for the purposes of this paper it is limited to having access to the complete source code of a program in order to know its inner workings.
The public and the courts tend to presume that evidence reconstructed by complex software yields accurate results. Engineers should instead demonstrate the systematic and random errors to the court and the other stakeholders, so that courts are not driven by a presumption of correctness. With OSS, every step of the reconstruction process is verifiable, which in theory gives a complete picture of the error and of its possible root cause. OSS makes its source code, and the documentation of the procedures and assumptions used in its algorithms, available for peer review, so that their impact on the system can be determined. The open nature of OSS gives the community the opportunity to object to specific procedures and to bring in the necessary modifications before a technique is accepted.
OSS is generally favoured by the academic community. Commercial software vendors offer heavily discounted or free licences to academic institutions so that students become part of their market share once they start their professional careers. It is true that most academic institutions lack the funding to acquire proprietary software, but the choice of OSS rests on a deeper rationale. Where greater academic freedom and minimal central control are needed in order to make modifications when necessary, OSS is preferred over corporate options. Beyond the hands-on approach to maintenance that OSS allows, students at tertiary level should be provided with continuously updated and new software.
For a professional forensic expert it is essential to rely on and have confidence in the software and tools used in a cyber investigation, and that confidence is primarily based on peer acceptance of the product. The ability to examine and analyse the actual source code of OSS can help students of digital forensic science develop a questioning attitude and critical thinking. OSS therefore gives a deeper understanding of any result obtained through a particular piece of software, for example a utility used to extract data from an Android phone.
Suppose X is a software corporation that develops a range of cyber forensic software for different specific tasks. If a cyber forensic examiner needs to use any of the tools offered by X for a particular purpose, he needs to be trained in a course pertaining to X alone. After that training he will be familiar with the terminology and range of tools offered by X, and such a person is reluctant to change, which serves the marketing purposes of the commercial entity.
The situation described above contrasts with the philosophy of open software. By using open source tools, the digital forensic examiner can better understand what a specific tool does, how it does it, and which other tools can be integrated with it to create a suitable environment. This freedom of modification and integration is not available with closed-source software. Educational institutions should provide foundational knowledge and learning skills rather than training in specific software products, so that students can also gain the full benefit of commercial tools when appropriate.
Virtual Machines for Computer Forensics: the Open Source Perspective
Digital forensics involves acquiring evidence from the subject device onto the investigator's device and analysing it so that it can be presented before a court of law in a legally accepted manner. Acquiring evidence from the subject device (the confiscated hardware) should not be equated with copying its data onto the investigator's device, because as technology evolves, large volumes of data are transient and not located on a single device. With cloud computing, metadata is stored on servers in data centres, which calls for a new approach to gaining insight into the dynamic relationship between the investigated system and the computer network.
This insight can be gained without further damage to the collected evidence through virtualisation, which recreates the crime scene. Computer virtualisation is a difficult process to implement, because every step must prevent contamination of the evidence while reproducing the investigated environment as closely as possible. It is widely accepted that, in order to recreate a virtual environment resembling the actual crime scene, virtualisation is the appropriate procedure for producing legally acceptable evidence.
Solaris Containers, Sun xVM, OpenVM, QEMU, Virtual PC, VirtualBox, VMware, Xen and z/VM are some of the full and processor virtualisation products, with forensic stability ranging from good to very good according to subjective assessment.
Digital forensic experts can now either recreate the investigated system from the acquired copy of its data by booting it as a guest, or let it coexist on the same hardware in a virtual environment. It must be stressed that virtualisation is conceptually simple but relatively difficult to implement when the goal is unaltered, legally acceptable evidence. There are a large number of factors that a digital forensic expert or computer engineer needs to consider to execute virtualisation as planned.
For example, investigators need to locate and examine the internal data structures of both the third-party forensic tools and the target system to bring harmony to the virtualisation process. The target system may be live or dead, leaving the investigator unable to learn its internal structures; this is also known as the semantic gap problem, because data is lost in translation. The aim of this section is to show that open source tools are universally acceptable for virtualisation in digital forensics.
The digital forensic investigator's aim in using virtualisation is to recreate the crime scene after a cyber-crime has taken place, so that a link can be established between the evidence acquired and the crime. There are two ways to establish a causal connection using an identical image of the operating system (OS), or any part of it, carefully acquired from the target system: (a) booting the image on identical hardware, and (b) booting the image as a guest alongside the original system on the same hardware.
In the first approach, we need to know how the Windows OS reacts to a hardware change at boot time. When the acquired image of a Windows OS is booted on different underlying hardware, we must know how it reacts to such changes. Windows requires reactivation if product verification fails at login, and it may also request the installation of device drivers upon detecting different hardware. In both scenarios the forensic findings could be rendered legally invalid and unusable. In the second approach, the acquired image is booted as a guest alongside the original OS on the same hardware, but unfortunately it suffers from the same Windows activation issue.
Accessing the acquired evidence image from an open source environment, with a different OS installed as the host, is more promising for addressing the issues of the previous approaches. Using Windows and Linux as hosts on common hardware, together with a set of open source tools, requires no drastic change of approach and saves the investigator from very expensive closed proprietary solutions. Furthermore, if investigators are provided with a Linux environment that is as easy to use as its Windows counterpart, they can corroborate their findings in parallel. The internal mechanisms (the source code) of closed software are taken for granted, and verification that the retrieved original files were not intruded upon at all can be critically challenged. Access to the full code, on the other hand, allows full verification and understanding of the internal behaviour and of the findings, which many researchers stress as a very important advantage of open source software in digital forensic science.
Commercial tools are usually very well documented, but their internal code is kept secret for obvious commercial reasons. This nature of commercial tools can invalidate the results even when a small error occurs, and the findings can be held inadmissible in a court of law. The approach proposed here requires a shift from Windows to Linux in order to fully exploit the set of open source tools for virtualisation in digital forensics. One pertinent characteristic of this approach is that it does not burn the bridges between the two environments. When the acquired image is analysed either on Windows as a guest or on Linux as the host, investigators can benefit from a powerful set of techniques and procedures not available in the other environment.
OpenSUSE, Ubuntu, Fedora, Mandriva, Debian and others are open source Linux distributions that provide the most suitable experience, with the most up-to-date and mature features. In this part of the paper we focus on OpenSUSE, which provides user-friendly virtualisation products for users coming from the Windows environment. VirtualBox is a powerful yet user-friendly tool that is part of the standard OpenSUSE package set. It supports a large number of guests, including the latest versions of Windows, configured through a wizard. The following VirtualBox properties are of particular interest to the digital forensic expert:
Full Control of External Drives
CD and DVD drives mounted on the common hardware can be made accessible to the virtual guest environment.
Cloning is a fast way to duplicate the files of the acquired image into the host environment, allowing the investigator to apply various tools and procedures without fear of damaging the evidence.
Saving the Machine State
This option lets the investigator save the current state of the guest environment on the host and, after a reboot, continue from the state in which it was stopped, in effect suspending the process in its current state.
This option prevents the virtual guest from causing serious damage to the system by saving its current state without powering it off. If any change or action taken by the investigator in the guest environment has the potential to damage the system, he can restore the previous snapshot, discarding every change, and go back to the last known good configuration.
Write-through mode is a valuable part of a virtualised investigation: it documents the logs of all actions and operations taken by the investigator on another hard drive, in permanent form, external to the guest environment.
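The VirtualBox properties listed above map onto a handful of VBoxManage commands. The following added example (not CAINE's or VirtualBox's own code) wraps them in a small Python helper that, by default, only prints the plan instead of executing it, so the sequence can be reviewed before it touches a real VM. The VM name, the controller name, the host optical device and the path of the log disk are placeholders; the `set_medium_type` helper accepts every medium type VirtualBox defines, which goes slightly beyond the write-through mode the text mentions.

```python
import shlex
import subprocess
from typing import List

# Placeholder names (assumptions for this example): the registered VM and the
# disk that will hold the examiner's action log.
VM_NAME = "evidence-vm"
LOG_DISK = "/forensics/case-0001/worklog.vdi"

# Medium types understood by 'VBoxManage modifymedium --type'.
MEDIUM_TYPES = {"normal", "writethrough", "immutable", "shareable", "readonly", "multiattach"}


def attach_host_dvd(vm: str, controller: str = "IDE", device: str = "/dev/sr0") -> List[str]:
    """Pass the host's optical drive through to the guest (VirtualBox 'host:' medium)."""
    return ["VBoxManage", "storageattach", vm, "--storagectl", controller,
            "--port", "1", "--device", "0", "--type", "dvddrive",
            "--medium", "host:" + device]


def clone_vm(vm: str, clone_name: str) -> List[str]:
    """Register a full clone; tools are run against the clone, never the original."""
    return ["VBoxManage", "clonevm", vm, "--name", clone_name, "--register"]


def save_state(vm: str) -> List[str]:
    """Suspend the guest to disk so it can resume exactly where it stopped."""
    return ["VBoxManage", "controlvm", vm, "savestate"]


def take_snapshot(vm: str, name: str, description: str) -> List[str]:
    """Record a restore point before a potentially destructive step."""
    return ["VBoxManage", "snapshot", vm, "take", name, "--description", description]


def restore_snapshot(vm: str, name: str) -> List[str]:
    """Roll the guest back to a named snapshot, discarding later changes."""
    return ["VBoxManage", "snapshot", vm, "restore", name]


def set_medium_type(medium: str, kind: str) -> List[str]:
    """Change a disk's medium type. 'writethrough' disks are excluded from
    snapshots, so an action log kept on one survives every rollback."""
    if kind not in MEDIUM_TYPES:
        raise ValueError(f"unknown VirtualBox medium type: {kind}")
    return ["VBoxManage", "modifymedium", "disk", medium, "--type", kind]


def run(argv: List[str], dry_run: bool = True) -> str:
    """Execute a VBoxManage command, or only return it as shell text when dry_run is set."""
    if not dry_run:
        subprocess.run(argv, check=True)
    return shlex.join(argv)


def prepare_examination(vm: str = VM_NAME, log_disk: str = LOG_DISK,
                        dry_run: bool = True) -> List[str]:
    """The sequence the text describes: protect the log disk from snapshot
    rollback, expose the host DVD drive, then take a baseline snapshot."""
    steps = [
        set_medium_type(log_disk, "writethrough"),
        attach_host_dvd(vm),
        take_snapshot(vm, "baseline", "state before any examiner action"),
    ]
    return [run(step, dry_run) for step in steps]


if __name__ == "__main__":
    for line in prepare_examination():  # dry run: print the plan only
        print(line)
```

Run with `dry_run=False` only after checking the printed plan; `clone_vm` and `save_state` are provided for the cloning and machine-state features and can be added to the sequence in the same way.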
Open Computer Forensic Architecture: a Way to Process Terabytes of Forensic Disk Images
The processing of evidence involves gathering data from the acquired device, unlocking the file system and file types, separating wanted files from unwanted ones, and converting the retrieved files into a standardised readable format. It is undeniable that the time available for an investigation is not growing in proportion to the amount of data to be investigated. With cloud-based services it is not uncommon to find terabytes of data in relatively small organisations. Cyber criminals use advanced hardware to take advantage of the services offered by large multinational companies, which requires specialised analysts and sophisticated cross-analysis of data to establish causal links between the criminal act and the digital evidence.
With the advent of different programming languages supporting different platforms, from mobile devices to computers, the diversity of file systems and formats is also growing. Furthermore, the use of tools and software to analyse metadata is becoming mainstream and an important aspect of digital forensic investigation. ILook, FTK, EnCase and Sleuthkit (forensic tools) and ZyFind, SPSS Clementine and Autonomy (data gathering tools) are some of the relevant software used by investigative agencies to process metadata.
A common problem faced by digital forensic investigators is the lack of universal functionality, together with the lack of integration and the difficulty of adding functions to make a tool more suitable for particular circumstances. The tools mentioned above sometimes suffer from random errors in the middle of processing and from low automation, causing delays and requiring manual interaction. The Digital Expertise Team of the Dutch National Police Agency has developed a tool named Open Computer Forensic Architecture (OCFA), which can rapidly read and analyse metadata in an automated manner and produce results in a legally desirable format. According to their research, the following are the required features of OCFA and of any modern metadata forensic analysis tool:
Preserving the chain of evidence
The underlying principle, which is equally relevant to metadata analysis, is the admissibility of the analysis produced by the tool. The chain of evidence must not be broken between the raw data fed into the tool for analysis and the insight obtained from that analysis.
The scope of the analysis tool should not be kept fixed; it should be dynamic, allowing the investigator to add the features needed beforehand. For example, the investigator may need to access files in PDF or text format, so the tool should make it possible to handle such files internally or externally.
The tool should be able to run on multiple platforms, thus reducing compatibility issues.
The system should be stable enough that it does not bring the whole system down. Processing a large amount of data usually causes lags that the system may not be able to handle in some situations. The focus should then be on reducing the impact on the overall analysis and on the ability to continue from the point at which the lag actually occurred.
Open Source Live Distributions for Computer Forensics
Digital forensics is the science of extending investigative techniques to retrieve any information of evidentiary value that is stored or transmitted in digital form. The four main phases a forensic examiner is expected to carry out are collection, examination, analysis and reporting, and they can be performed with the help of proprietary or open source software. Open source software in this area lacks interoperability between the many heterogeneous tools, and the result produced by the software at the end of each successive phase must ultimately feed a final report. The solution is the Computer Aided Investigative Environment (CAINE), which integrates existing open source software as modules, aiming to integrate the four successive phases of forensic science and to auto-generate the final report with the help of a user-friendly graphical interface.
The OSS initiative is decentralised in nature: a global community develops the software, providing improvement, feedback, updates, code sharing and source code verification. Unfortunately, such decentralised maintenance requires experienced programmers and users to contribute to the ongoing development of OSS. Another issue is that developer communities do not cooperate, forcing the investigator to gather data from standalone heterogeneous sources. The command-line interface of the majority of these OSS tools keeps a large share of digital forensic investigators at a distance, since they are not familiar with such interfaces.
In response to the issues mentioned above, CAINE was developed to provide easy extension of its core functions, to target a non-technical user base, and to integrate heterogeneous tools in order to generate the final report autonomously.
The following open source tools are available within CAINE, covering the four phases of forensic science:
Collection: Automated Image & Restore (AIR), Guymager, terminal with log saving
Examination and Analysis: Foremost and Scalpel, Autopsy, SFDumper, Stegdetect and Ophcrack
Report Building Phase: this is a relevant feature of CAINE for investigators, helping them to create well-structured and informative reports that avoid unnecessary technical detail, for the purpose of communication during the investigation or examination of digital evidence. The digital forensic expert may have to testify to the validity of the procedures adopted as well as to the examination results. For that purpose, the brief notes and reports recorded by the investigators can be of great value in bringing a clear and complete understanding of the techniques adopted. Currently, the available open source software produces reports that are too technical to be presented in court, so they require manual intervention and a lot of hard work.
Instead, CAINE follows a semi-manual procedure involving the automatic compilation of highly customisable brief reports from the heterogeneous software within CAINE. The digital investigator uses this compilation to create the final report required by the law enforcement agencies. CAINE uses the Perl Template Toolkit (PTT), a flexible template processing tool, to aggregate every contribution made at each step up to the extraction of legally relevant evidence. PTT compiles the written output of every tool within CAINE into temporary reports, which are pipelined into a single final report.
CAINE is a novel forensic environment that offers a user-friendly interface in place of the command line for a number of well-known open source forensic tools. Such an environment helps investigators perform their tasks in a much more structured way. The graphical interface provided from the collection and analysis of evidence through to the final report is one of the most appreciated and unique functions of CAINE, not available in any other digital forensic environment.
Open Source Software Based Automatic Detection of Suspicious Activities in Digital Systems
Online infrastructure is the backbone of the global economic and banking system, facilitating real-time online transfers and business activities such as share markets and making the globe a single market. For that same reason it is highly prone to cyber attack, and cyber criminals constantly target these systems to exploit any digital vulnerability in one way or another. The task of securing a system can be divided into four parts: evaluation, protection, detection and response. Because of the sheer size of the data and the huge number of activity points, it is not possible to monitor such systems manually in order to evaluate activity and detect possible threats. To ensure the safety of a digital system of such scale, ethical hackers and experts prefer monitoring systems that detect suspicious activity, filter out unwanted threats and narrow down the harmful activity, which can then be dealt with manually to prevent intrusion. Such monitoring systems are called Intrusion Detection Systems (IDS); they detect anomalies in the system for human intervention.
An IDS is a fundamental building block placed in the path of the large amounts of data transmitted in the system, protecting it from exploitation by hackers. It generates alerts whenever suspicious activity is detected, according to its configured level of sensitivity. To reach their objective, hackers use a series of attacks rather than a single one, and whenever that happens the IDS generates an alert for the security administrator. To evaluate and ensure the security of the network after detection, analysing the correlation between the generated alerts and the network's security provides much-needed insight into how to make the system more secure. Alert correlation is one process that provides a global view of the network, so that the analyst can focus on strategies to counter such attacks. The following are the four most common alert correlation methods used by cyber security experts:
- Aggregation of alerts on the basis of similarity between their attributes.
- Matching alerts against predefined attack scenarios employed by attackers.
- Linking the consequences of one attack with the preconditions of another.
- Combining the variety of information obtained from different security systems.
Vector clocks are another technique, built on the notion of logical clocks proposed by Lamport in 1978. Logical clocks assign a time to events in a distributed environment independently of any other event and without relying on physical time; each event in the distributed network receives a unique identity, so that the events can be modelled as a sequence within a larger process.
Visual Analysis of Log Information (VALI) is an open source alert correlation tool that generates user-friendly graphs, allowing the administrator to establish correlations between alerts in order to discover complex attacks. VALI generates two types of graph while monitoring the system: (i) a detailed graph representing all the reported alerts in the order in which they were detected, and (ii) a reduced graph representing a higher-level view of the distinct events and their sequence. VALI processes the alerts as follows:
- It identifies the distinct IP addresses in all of the reported alerts.
- It creates the vector clocks, each of size equal to the number of distinct IP addresses found in the step above.
- For each of the reported alerts, it identifies the source and destination addresses, and then creates two events: one that corresponds to the “sending” of the attack and the other that represents the “reception” of that attack.
- To determine which events are interrelated, VALI applies the rules of vector clocks. Recall that this mechanism allows us to determine whether two events are concurrent or one is the predecessor of the other.
- Finally, it creates the graphs that show the reported alerts and the connections between them.
The following are the primary components of VALI that assist the administrator in monitoring the network:
- Alert pre-processing takes in the information corresponding to the alerts reported by the IDS, which are stored in text file format.
- The correlation engine is based on the concept of vector clocks; it assigns a unique logical time to every reported event and highlights any relationship between the occurrences of events.
- Graph generation is the next step in the process; compared with the text format, it gives a convenient and simple view of the reported data for prioritising the vulnerable sectors of the network.
- By selecting parameters in the tool's interactive user interface, the examiner can sort the alerts by a range of associated information such as IP address, date, hour and alert description. The resulting information can be assigned different geometric shapes to distinguish between types of information.
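The five processing steps and the components listed above can be reproduced in a few dozen lines. The following is an added example written for this page, not VALI's own code or input format: it parses a constructed, one-line-per-alert text file, builds one vector clock per distinct IP address, turns every alert into a send event at the source and a receive event at the destination, applies the vector clock happens-before rule to decide which alerts are related and which are concurrent, and emits the reduced graph as Graphviz DOT text. The alert line format and the four sample alerts are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

Vector = Tuple[int, ...]

# Constructed sample alert file (one alert per line; not VALI's real input format).
ALERT_TEXT = """\
04/12-10:01:02 [**] SCAN port sweep [**] 10.0.0.5 -> 10.0.0.20
04/12-10:01:30 [**] WEB suspicious URI [**] 10.0.0.5 -> 10.0.0.20
04/12-10:02:10 [**] TROJAN outbound beacon [**] 10.0.0.20 -> 10.0.0.30
04/12-10:02:15 [**] ICMP ping [**] 10.0.0.40 -> 10.0.0.50
"""

ALERT_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] (\S+) -> (\S+)$")


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Alert pre-processing: read the IDS text file into records, skipping malformed lines."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ts, desc, src, dst = m.groups()
            alerts.append({"id": len(alerts), "time": ts, "desc": desc, "src": src, "dst": dst})
    return alerts


def happens_before(a: Vector, b: Vector) -> bool:
    """Vector clock rule: a precedes b iff a <= b component-wise and a != b."""
    return a != b and all(x <= y for x, y in zip(a, b))


def relation(a: Vector, b: Vector) -> str:
    if happens_before(a, b):
        return "before"
    if happens_before(b, a):
        return "after"
    return "concurrent"


def assign_vector_clocks(alerts):
    """Correlation engine: one clock per distinct IP; each alert yields a send
    event at the source and a receive event at the destination."""
    index: Dict[str, int] = {}
    for al in alerts:
        for host in (al["src"], al["dst"]):
            index.setdefault(host, len(index))
    clock = {host: [0] * len(index) for host in index}
    events = []
    for al in alerts:
        src, dst = al["src"], al["dst"]
        clock[src][index[src]] += 1                                  # local tick: "sending"
        send = tuple(clock[src])
        clock[dst] = [max(x, y) for x, y in zip(clock[dst], send)]  # merge on "reception"
        clock[dst][index[dst]] += 1
        recv = tuple(clock[dst])
        events.append({"alert": al["id"], "send": send, "recv": recv})
    return index, events


def correlate(alerts) -> List[Tuple[int, int]]:
    """Edge A -> B when any event of alert A happens-before any event of alert B."""
    _, events = assign_vector_clocks(alerts)
    edges = []
    for a in events:
        for b in events:
            if a["alert"] != b["alert"] and any(
                    happens_before(x, y)
                    for x in (a["send"], a["recv"]) for y in (b["send"], b["recv"])):
                edges.append((a["alert"], b["alert"]))
    return edges


def isolated(alerts, edges) -> List[int]:
    """Alerts concurrent with every other alert: candidates for lower priority."""
    linked = {i for edge in edges for i in edge}
    return [al["id"] for al in alerts if al["id"] not in linked]


def render_dot(alerts, edges) -> str:
    """Graph generation: the reduced graph as Graphviz DOT text."""
    lines = ["digraph alerts {"]
    for al in alerts:
        lines.append(f'  a{al["id"]} [label="{al["desc"]}\\n{al["src"]} -> {al["dst"]}"];')
    lines += [f"  a{x} -> a{y};" for x, y in edges]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_TEXT)
    edges = correlate(alerts)
    print(render_dot(alerts, edges))
    print("unrelated alerts:", isolated(alerts, edges))
```

With the sample data, the three alerts involving 10.0.0.5 and 10.0.0.20 form a chain (the beacon from 10.0.0.20 is a successor of both alerts received there), while the ping between 10.0.0.40 and 10.0.0.50 shares no clock component with them and is reported as concurrent, which is exactly the separation of a complex attack from unrelated noise that the graphs are meant to show.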
In this paper we presented an alert correlation model based on the concept of vector clocks. We also presented VALI, our own implementation of the correlation model. This tool can be used by security analysts to produce graphs in order to present the information in a visual format. VALI not only relieves the user from analysing text files but also allows him to discover the existing relationships between the reported alerts in a simple way. Although the correlation model presented in this paper is not the solution to all the needs of security analysts, we think that it can be used to discover and identify the different activities that comprise a complex attack, and therefore to obtain a global view of what is happening to their systems. This visual representation replaces the need to focus on hundreds or thousands of individual alerts that could originally seem unrelated.
The open software community continues to develop new functionality and sophisticated tools in response to the increasing incidence of computer crime in society.